%% FOSDEM 2003 Presentation %% 800x600 %%%deffont "standard" xfont "-adobe-times-medium-r-*-*-18-*-*-*-*-*-iso8859-1" %%%deffont "example" xfont "-*-courier-medium-r-normal-*-17-*-*-*-*-*-iso8859-1" %% 1024x876 %%deffont "standard" xfont "-adobe-times-medium-r-*-*-24-*-*-*-*-*-iso8859-1" %%deffont "example" xfont "-*-courier-bold-r-normal-*-20-*-*-*-*-*-iso8859-1" %%deffont "thick" tfont "thick.ttf", tmfont "goth.ttf" %deffont "standard" tfont "luxisr.ttf" %deffont "thick" tfont "luxisb.ttf" %deffont "example" tfont "luximr.ttf" %% %% Default settings per each line numbers. %% %default 1 area 90 90, leftfill, size 2, fore "white", back "black", font "thick" %default 2 size 7, vgap 30, prefix " ", fore "red" %default 3 size 2, bar "gray90", vgap 180 %default 4 size 4, fore "gray", vgap 30, font "standard" %% %% Default settings that are applied to TAB-indented lines. %% %tab 1 size 4, vgap 40, prefix " ", icon box "blue" 50 %tab 2 size 4, vgap 40, prefix " ", icon arc "skyblue" 50 %tab 3 size 4, vgap 40, prefix " ", icon delta3 "blue" 40 %% PAGE 1 (TITLE) %page %charset "iso8859-1" %nodefault %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" %bar "skyblue" 6 6 88 %center, fore "Red", font "thick", hgap 10, size 5.5 new cool pf(4) stuff for OpenBSD 3.3 %size 2 %bar "skyblue" 6 6 88 %size 4, fore "gray80" Philipp Bühler Henning Brauer %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" Overview language flexibility shorter, more liberal altq merged filter and queue in one step anchors partitial ruleset loading tables faster for similar rules address pools load balancing smallies minor nits/fixes %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" language flexibility OpenBSD 3.2: %font "example" block in all block out all %font "standard" OpenBSD 3.3 allows: %font "example" block %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" language flexibility OpenBSD 3.2: %font "example" block in all block return-rst in proto tcp all block return-icmp in proto udp all block out all block return-rst out proto tcp all block return-icmp out proto udp all %font "standard" OpenBSD 3.3 allows: %font "example" block return %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" language flexibility one can set a global block policy now which affects any block statement %font "example" set block-policy drop %font "standard" is the default and blocks behave like in 3.2 %font "example" set block-policy return %font "standard" makes every block behave like block return policy can be overriden by explicitely specifying the block method: %font "example" block drop block return %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" language flexibility The order of options is flexible in most cases now. OpenBSD 3.2 required: %font "example" block in log quick on dc0 from any to any port 80 flags S/SA keep state label "xyz" %font "standard" OpenBSD 3.3 allows that to be written in different order, too: %font "example" block in quick log on dc0 from any to any port 80 label "xyz" flags S/SA keep state %font "standard" or %font "example" block in log quick on dc0 from any to any port 80 keep state label "xyz" flags S/SA %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" altq merge Benefits: altq.conf is dead ;-) use pf's packet matching engine: more flexibility, highly optimized packet matching only once, not twice (altq, pf) it is stateful! significantly lower per-packet-cost. --> altq made usable! supported schedulers: CBQ and PRIQ. HFSC will be added later. %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" altq merge Previous altq.conf: %font "example" interface dc0 bandwidth 2M cbq class cbq dc0 root_cl NULL priority 0 pbandwidth 100 class cbq dc0 lan0 root pbandwidth 5 default class cbq dc0 lan1 root pbandwidth 80 filter dc0 lan1 0 0 192.168.0.0 netmask 0xffffff00 0 6 class cbq dc0 lan2 root pbandwidth 15 filter dc0 lan2 0 0 192.168.1.0 netmask 0xffffff00 0 6 %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" altq merge same as pf.conf: %font "example" altq on dc0 bandwidth 2Mb cbq queue { dflt, developers, marketing } queue dflt bandwidth 5% cbq(default) queue developers bandwidth 80% queue marketing bandwidth 15% pass out on dc0 from 192.168.0.0/24 to any keep state queue developers pass out on dc0 from 192.168.1.0/24 to any keep state queue marketing %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" altq merge interface specification: %font "example" altq on dc0 cbq bandwidth 10Mb queue { child1, child2, child3 } %font "standard" enable altq on dc0 use the cbq scheduler define the bandwidth to 10 MBit/s. can be omitted; the interface's bandwidth is used then. child queues are child1, child2, and child3 %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" altq merge queue specificaton: %font "example" queue child1 bandwidth 10% priority 2 { subqueue1, subqueue2 } %font "standard" define queue "child1" referenced from the altq statement earlier assign a bandwidth, 10% of the parent queue's bandwidth. optional. assign a priority, optional %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" altq merge with CBQ, queues build a tree. "subqueue1" and "subqueue2" are children of "child1" in this example. with PRIQ, queues are flat attached to the interface, queues must not have subqueues. %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" altq merge assign packets to a queue using the usual filter rules: %font "example" pass in on dc0 from any to dc0 port 80 keep state queue child1 %font "standard" just append "queue queuename" to your rules. all packets matching this rule or states created from this rule are assigned to the given queue. %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" altq merge two queues can be given: %font "example" pass out on dc0 to port ssh keep state queue(ssh_bulk, ssh_interactive) %font "standard" the second queue is called "priority queue" all packets with a ToS of "lowdelay" are assigned to the priority queue, all other packets are assigned to the other queue usefull for ssh, give interactive sessions priority over bulk transfers (scp) %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" altq merge a simple PRIQ example: %font "example" %size 3 altq on $ext_if priq bandwidth 10Mb queue { pri-low pri-med pri-high } queue pri-low priority 0 queue pri-med priority 1 priq(default) queue pri-high priority 2 pass out on $ext_if proto tcp from any to any port ssh keep state queue(pri-med, pri-high) pass out on $ext_if proto tcp from any to any port www keep state queue pri-med pass in on $ext_if proto tcp from any to any port www keep state queue pri-low %font "standard" %size 4 This can be found at /usr/share/pf/queue3 %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" altq merge and a CBQ example (adopted from /usr/share/pf/queue2): %font "example" %size 3 altq on $ext_if cbq bandwidth 5Mb queue { std, http, ssh } queue std bandwidth 10% cbq(default) queue http bandwidth 60% cbq(borrow red) { staff, hackers } queue hackers bandwidth 75% cbq(borrow) queue staff bandwidth 15% queue ssh bandwidth 20% cbq(borrow) { ssh_prio, ssh_bulk } queue ssh_prio priority 7 queue ssh_bulk priority 0 block return out on $ext_if inet all queue std pass out on $ext_if inet proto tcp from $hackersnet to any port www keep state queue hackers pass out on $ext_if inet proto tcp from $staffnet to any port www keep state queue staff pass out on $ext_if inet proto tcp to any port ssh keep state queue(ssh_bulk, ssh_prio) %font "standard" %size 4 %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" anchors placeholder for rules to be loaded later changing rules inside an anchor does not touch the main ruleset. no reload \ needed, no counters reset. used for authpf(8) and spamd(8) now %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" anchors anywhere in pf.conf: %font "example" anchor foo %font "standard" pf-foo.conf: %font "example" pass in from any to 10.0.0.1 port 80 keep state pass in from any to 10.1.7.4 port 80 keep state %font "standard" load pf-foo.conf independently: %font "example" pfctl -a foo:bar -f pf-foo.conf %font "standard" load another set into the same anchor: %font "example" pfctl -a foo:another -f pf-another.conf %font "standard" remove them independently: %font "example" pfctl -a foo:bar -Fa %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" anchors anchors can be conditional: %font "example" anchor foo on dc0 from any to 10/8 port 80 %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" tables implemented as radix tree - like the kernel routing table very fast lookups bytes/packet counters for each table entry %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" tables %font "example" table { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 } pass in on dc0 from any to port 80 keep state %font "standard" modify the table without ruleset reload: %font "example" pfctl -t foo -T add 192.168.2.0/23 pfctl -t foo -T remove 10.0.0.0/8 %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" address pools Lists of addresses allowed for translation rules and routing options \ of filter rules (round-robin selection). Single CIDR blocks of addresses supported with various allocation schemes. %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" address pools Allocation schemes: source-hash: \ hashes the source ip address (with a key); the "redirection" IP \ address will always be the same for a given source. bitmask: \ changes the network portion of the IP address, leaving the host \ portion the same. random: \ selects the redirection address at random from the CIDR block. round-robin: \ loops through the block of addresses (or list of addresses) \ sequentially. %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" address pools load balancing: %font "example" nat on dc0 from any to $extip -> { 10.0.0.1, 10.0.0.2 } round-robin %font "standard" stateful IDS balancing: %font "example" pass in on dc0 dup-to { ($IDSif $IDS_ip1), ($IDSif $IDS_ip2) } round-robin from any to $dmz keep state %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" address pools %font "standard" multiple internet connections (outbound balancing): %font "example" nat on $extif1 from $internal to any -> $extip1 nat on $extif2 from $internal to any -> $extip2 pass in on dc0 route-to { ($extif1 $gw1), ($extif2 $gw2) } round-robin from $internal to any keep state %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" smallies tcp window scaling support in the state engine (RFC 1323) "raptor" syncookie fix: send an RST if an invalid packet matches the state \ during handshake. makes the ACK+10000 cookie scheme used by some raptor \ firewalls work with pf full CIDR support: %font "example" pass in from 10/8 to any %font "standard" now correctly expands to %font "example" pass in inet from 10.0.0.0/8 to any %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" smallies network and broadcast address lookup: %font "example" pass in on dc0 from dc0:network to any keep state block in on ! dc0 from any to dc0:broadcast %font "standard" the order requirement (options, scrub, queue, NAT, filter) can be disabled: %font "example" set require-order no %font "standard" flags S syntax removed; full set needs to be specified now: flags S/SA. \ Makes commonly seen errors more difficult %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" smallies packets with invalid checksums are now dropped by pf; prevents \ return-rst/icmp on them which can be used to detect the existance of a \ firewall. mbuf tags are used so the checksum verification is only done once; \ take advantage of NICs with hardware checksum verification. state table size has a default limit of 10000 now, increase with "set limit states" %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" smallies performance boost in skip step calculation, significantly reduces pf rule \ load time for huge rulesets reply-to: like route-to but for packets in the other direction; allows \ enforcement of symmetric routing "static-port" option forces NAT to leave source ports unchanged; this \ can help working with broken protocols which expect a certain source port. %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" Acknowledgments Daniel Hartmeier, Ryan McBride and Cedric Berger for input and the \ continued fun we have developing pf Nick Holland for his crosschecking and the usual fixup of our crappy english Wim Vandeputte for his friendly "Henning and Philipp, we need an OpenBSD talk", beer, and surviving this weekend with us And, of course, to the whole OpenBSD developer team! %% PAGE NEXT %page %bgrad 45 45 256 45 1 "gray" "black" "black" "black" "black" "black" "black" "gray" The unavoidable last page we have cool shirts and posters for sale outside, as well as OpenBSD CDs grant money is running out, donations can be made at \ http://www.openbsd.org/donations.html or outside at our booth beer donations for the hackers are always welcome! %center %size 8 Keep hacking! %% %% EOF